Migrate from TDE with the Oracle Wallet to TDE with SafeGuard CryptoServer

This chapter describes the migration of the TDE master encryption key from the Oracle Wallet to the HSM (SafeGuard CryptoServer).

To demonstrate the integration of Oracle Database 11g (Release 2) TDE with SafeGuard CryptoServer, first initialize a PKCS#11 slot:

  1. Navigate with the Explorer to the PKCS#11 library directory of the SafeGuard CryptoServer software installation (\Program Files\Utimaco\SafeGuard CryptoServer\Lib).

  2. Open the PKCS#11 configuration file with a double-click:

     PKCS#11       cs2_pkcs11.ini
     PKCS#11 R2    cs_pkcs11_R2.cfg

  3. Double-check that the parameter device points to your SafeGuard CryptoServer hardware, e.g. PCI:0 for a PCI card or 192.168.0.140 for a CryptoServer LAN appliance.

  4. Save your changes, see also chapter 3.1.

  5. Check that the PKCS#11 environment variable CS2_PKCS11_INI (CS_PKCS11_R2_CFG for PKCS#11 R2) points to the edited configuration file cs2_pkcs11.ini (cs_pkcs11_R2.cfg for PKCS#11 R2). If the variable does not exist, create it. Oracle Database runs as a Windows service, so create it as a system variable (not only for your own user account) and restart the Oracle service afterwards so that it picks up the value.

  6. Open a command line shell (Start -> Run -> cmd.exe).

  7. Check that you can connect to the SafeGuard CryptoServer using p11tool respectively p11tool2:

     PKCS#11       p11tool ListSlots
     PKCS#11 R2    p11tool2 ListSlots

  8. Initialize PKCS#11 slot 0 (you can use p11tool respectively p11tool2 or the SafeGuard CryptoServer Administration Tool (CAT) for the initialization):

     PKCS#11

     p11tool slot=0 InitToken=<SO_pin>
     p11tool slot=0 LoginSO=<SO_pin> InitPin=<HSM_passphrase>

     PKCS#11 R2

     p11tool2 slot=0 Login=<Administrative user,AuthenticationToken> InitToken=<SO_pin>
     p11tool2 slot=0 LoginSO=<SO_pin> InitPin=<HSM_passphrase>

Make sure that the HSM_passphrase contains at least 8 characters (letters and numbers or special characters). Otherwise Oracle won't accept it as Oracle Wallet password! Keep in mind that the SO PIN and the HSM_passphrase entered on the command line end up in the shell's command history; clear it after the initialization.
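The following PowerShell script is an added preflight check; it is not part of the original guide or of the SafeGuard CryptoServer software. It verifies the prerequisites of this section (configuration variable at machine scope, the device parameter, ListSlots) and the Oracle-side prerequisites that the test procedure below sets up (the library copied to the extapi directory and identical to the vendor copy, METHOD = HSM in sqlnet.ora, the ewallet.p12 file with inherited permissions). The default paths are the examples used in this guide; that p11tool/p11tool2 exit non-zero on failure, where the tools are found, and the PCI:<n>/IP/hostname syntax accepted for device are assumptions.

```powershell
# Added preflight check for the TDE-with-HSM setup in this chapter (not vendor code).
# Assumptions: default paths match the guide's examples, p11tool/p11tool2 exit non-zero
# on failure, ListSlots needs no login. Pass -R2 for the PKCS#11 R2 library.
param(
    [switch]$R2,
    [string]$LibDir    = 'C:\Program Files\Utimaco\SafeGuard CryptoServer\Lib',
    [string]$ExtApiDir = 'C:\oracle\extapi\32\hsm\Utimaco\1.00.00',
    [string]$SqlnetOra = "$env:TNS_ADMIN\sqlnet.ora",
    [string]$WalletDir = 'C:\oracle\WALLETS'
)
$fail = New-Object System.Collections.Generic.List[string]

if ($R2) { $cfgVar = 'CS_PKCS11_R2_CFG'; $cfgName = 'cs_pkcs11_R2.cfg'; $dll = 'cs_pkcs11_R2.dll'; $tool = 'p11tool2' }
else     { $cfgVar = 'CS2_PKCS11_INI';   $cfgName = 'cs2_pkcs11.ini';   $dll = 'cs2_pkcs11.dll';   $tool = 'p11tool' }

# 1. Config variable: the Oracle service only sees MACHINE-scope variables; a USER-scope
#    value works for your interactive shell but not for the database.
$cfgPath = [Environment]::GetEnvironmentVariable($cfgVar, 'Machine')
if (-not $cfgPath) {
    $fail.Add("$cfgVar is not set at machine scope (expected $LibDir\$cfgName)")
} elseif (-not (Test-Path -LiteralPath $cfgPath)) {
    $fail.Add("$cfgVar points at '$cfgPath', which does not exist")
} else {
    # 2. 'device' must name the HSM: PCI:<n> for a card, an IP address or host name for a LAN appliance.
    $m = Select-String -LiteralPath $cfgPath -Pattern '^\s*device\s*=\s*(\S+)' | Select-Object -First 1
    if (-not $m) { $fail.Add("no 'device' parameter in $cfgPath") }
    else {
        $device = $m.Matches[0].Groups[1].Value
        if ($device -notmatch '^(PCI:\d+|\d{1,3}(\.\d{1,3}){3}|[A-Za-z0-9][A-Za-z0-9.-]*)$') {
            $fail.Add("unexpected device value '$device' in $cfgPath")
        } else { Write-Host "device = $device" }
    }
}

# 3. Connectivity: ListSlots must work before a slot can be initialised.
$exe = Get-Command $tool -ErrorAction SilentlyContinue
if (-not $exe) { $exe = Get-Command (Join-Path $LibDir "$tool.exe") -ErrorAction SilentlyContinue }
if (-not $exe) { $fail.Add("$tool not found on PATH or in $LibDir") }
else {
    $exePath = $exe.Path
    $slots = & $exePath ListSlots
    if ($LASTEXITCODE -ne 0) { $fail.Add("$tool ListSlots failed (exit $LASTEXITCODE); check device/network") }
    else { Write-Host ($slots -join "`n") }
}

# 4. Oracle loads the PKCS#11 library from %SYSTEM_DRIVE%\oracle\extapi\[32,64]\hsm\<vendor>\<version>\;
#    that directory should hold exactly one library, byte-identical to the vendor copy.
$src = Join-Path $LibDir $dll
$dst = Join-Path $ExtApiDir $dll
if (-not (Test-Path -LiteralPath $dst)) { $fail.Add("$dst is missing; copy $src there (create the directory first)") }
else {
    $libs = @(Get-ChildItem -LiteralPath $ExtApiDir -Filter *.dll)
    if ($libs.Count -ne 1) { $fail.Add("$ExtApiDir contains $($libs.Count) DLLs; keep only $dll there") }
    if ((Test-Path -LiteralPath $src) -and
        (Get-FileHash -LiteralPath $src).Hash -ne (Get-FileHash -LiteralPath $dst).Hash) {
        $fail.Add("$dst differs from $src (stale or tampered copy)")
    }
}

# 5. sqlnet.ora must select the HSM method.
if (-not (Test-Path -LiteralPath $SqlnetOra)) { $fail.Add("sqlnet.ora not found at $SqlnetOra (is TNS_ADMIN set?)") }
elseif (-not (Select-String -LiteralPath $SqlnetOra -Pattern 'METHOD\s*=\s*HSM' -Quiet)) {
    $fail.Add("$SqlnetOra has no ENCRYPTION_WALLET_LOCATION with (METHOD = HSM)")
}

# 6. The software wallet is still needed after the migration: it must be named ewallet.p12
#    and (per the guide) inherit its permissions from the wallet directory. List who can access it.
$wallet = Join-Path $WalletDir 'ewallet.p12'
if (Test-Path -LiteralPath (Join-Path $WalletDir 'ewallet.p24')) { $fail.Add("ewallet.p24 still present in $WalletDir; rename it back to ewallet.p12") }
if (-not (Test-Path -LiteralPath $wallet)) { $fail.Add("$wallet not found") }
else {
    $acl = Get-Acl -LiteralPath $wallet
    if ($acl.AreAccessRulesProtected) { $fail.Add("$wallet does not inherit permissions from $WalletDir") }
    $acl.Access | ForEach-Object { Write-Host ("  {0,-35} {1}" -f $_.IdentityReference, $_.FileSystemRights) }
}

if ($fail.Count) { $fail | ForEach-Object { Write-Host "FAIL: $_" }; exit 1 }
Write-Host 'All TDE/HSM prerequisites look good.'
```

Run it from an elevated PowerShell on the database host (Get-FileHash needs PowerShell 4 or later), e.g. .\Check-TdeHsm.ps1 or .\Check-TdeHsm.ps1 -R2 -ExtApiDir C:\oracle\extapi\64\hsm\Utimaco\1.00.00. A non-zero exit code means at least one prerequisite is missing; review the listed wallet ACL entries and remove any identity that does not need access to the wallet file.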


To test Oracle Database 11g (Release 2) TDE with SafeGuard CryptoServer:

  1. Copy the PKCS#11 library cs2_pkcs11.dll (for PKCS#11 R2: cs_pkcs11_R2.dll) from \Program Files\Utimaco\SafeGuard CryptoServer\Lib to %SYSTEM_DRIVE%\oracle\extapi\[32,64]\hsm\Utimaco\<version>\, for example:

     C:\oracle\extapi\32\hsm\Utimaco\1.00.00\cs2_pkcs11.dll

     You have to create the directory manually first. Choose 32 or 64 according to the Oracle Database software (not the operating system), and keep only this one library in the directory.

  2. Change the parameter METHOD of ENCRYPTION_WALLET_LOCATION in the file %TNS_ADMIN%\sqlnet.ora to HSM:

     ENCRYPTION_WALLET_LOCATION =
       (SOURCE = (METHOD = HSM)(METHOD_DATA =
         (DIRECTORY = C:\oracle\WALLETS)))
  3. Before the migration, rename ewallet.p24 back to ewallet.p12 in C:\oracle\WALLETS and check the permission settings of the file: right-click ewallet.p12 > Properties > Security > Advanced > Edit > check "Include inheritable permissions from this object's parent" and click OK.

  4. Log back into the database:

     SQL> connect system/password

  5. Migrate the master encryption key from the Oracle Wallet to the HSM:

     SQL> alter system set encryption key identified by "<HSM_passphrase>" migrate using "<wallet_password>";

     where:

       • HSM_passphrase is the passphrase (user PIN) of the PKCS#11 user, as given at the initialization of the PKCS#11 slot. In Oracle Database 11g R1 the master key in the SafeGuard CryptoServer is not used for tablespace encryption; tablespace encryption still relies on the software wallet created in section 3.3, step 4, because the tablespace master key cannot be migrated in 11g R1. In Oracle Database 11g Release 2, the two master encryption keys in the wallet are migrated to a unified master encryption key in the HSM.

       • wallet_password is the password of the software wallet created in section 3.3, step 4.

     Both values are case-sensitive and must be enclosed in double quotes in the SQL statement.

     You can check all operations performed by the HSM in the PKCS#11 log file cs2_pkcs11.log (cs_pkcs11_R2.log for PKCS#11 R2). For this purpose set the log level to the highest level in the configuration file and set the log path to c:\temp. Do not keep this setting because of the performance loss, and delete the log file afterwards.

  6. The next query returns the values in the encrypted column in plain text:

     SQL> select credit_limit from oe.customers where rownum < 15;

     Transparent Data Encryption decrypts them automatically, now using the HSM master key.

  7. Close the wallet:

     SQL> alter system set encryption wallet close;

     In Oracle Database 11g Release 2, the command to close the wallet has changed to:

     SQL> alter system set encryption wallet close identified by "<your_wallet_password>";

  8. Exit from your SQL*Plus session:

     SQL> exit

  9. Start Oracle Wallet Manager (Start -> Programs -> Oracle -> OraDB11g_home1 -> Integrated Management Tools -> Wallet Manager).

  10. Open the software-based wallet by navigating to the wallet directory C:\oracle\WALLETS and click Change Password. Use the same string you used for the HSM (HSM_passphrase) as the new password for the software-based wallet. Click Save and then click Exit.

  11. Log back into the database and open the wallet:

     SQL> connect system/password

     SQL> alter system set encryption wallet open identified by "<HSM_passphrase>";

     Now that the passwords for the Oracle Wallet and the HSM are the same, both are opened with one command. If a password change is not feasible, use an auto-open (auto-login) wallet instead and rename or remove the password-protected wallet file from the ENCRYPTION_WALLET_LOCATION directory specified in sqlnet.ora. Keep in mind that an auto-open wallet is protected only by the file system permissions of the wallet directory.

Warning: NEVER delete the encryption wallet, and NEVER forget the password of the encryption wallet.

  12. Verify that the HSM is now used for master key storage as well (the migration is a re-key operation for the column encryption master key in Oracle Database 11g R1, or for both master encryption keys in Oracle Database 11g Release 2):

     SQL> select * from v$encryption_wallet;

     With the HSM in use, WRL_TYPE shows HSM and STATUS shows OPEN.

  13. Create an encrypted tablespace, using the master encryption key from the software wallet in Oracle Database 11g R1, or the unified master key from the HSM in Oracle Database 11g Release 2:

     SQL> CREATE TABLESPACE securespace2
            DATAFILE 'C:\app\Administrator\oradata\orcl\secure02.dbf'
            SIZE 10M ENCRYPTION DEFAULT STORAGE(ENCRYPT);

  14. Check that the new tablespace is listed and marked as encrypted:

     SQL> select tablespace_name, encrypted from dba_tablespaces;

  15. Now test re-keying of the master encryption key in the HSM and check column encryption one more time:

     SQL> alter system set encryption key identified by "<HSM_passphrase>";

     Verify that a new master encryption key is created in the HSM by watching the log file cs2_pkcs11.log (cs_pkcs11_R2.log for PKCS#11 R2).

     The table key of OE.CUSTOMERS is now encrypted with the new master key, and the data is still readable:

     SQL> select credit_limit from oe.customers where rownum < 15;

  16. Remove the master key from the database memory:

     SQL> alter system set encryption wallet close [identified by "<HSM_passphrase>"];

     (The identified by clause is required in Oracle Database 11g Release 2.)

  17. Try listing the encrypted data again; this must fail now:

     SQL> select credit_limit from oe.customers where rownum < 15;

     The query fails with ORA-28365 (wallet is not open) because the database no longer has access to the master key.

  18. Exit from your SQL*Plus session:

     SQL> exit
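As a final added check, not part of the original guide: the PowerShell script below runs the verification queries of the procedure above non-interactively through SQL*Plus and checks the outcomes (WRL_TYPE and STATUS in v$encryption_wallet, the encrypted flag of the new tablespace, readable data while the wallet is open, ORA-28365 after it has been closed, and a successful reopen). It assumes sqlplus.exe is on PATH, that $Connect is a SQL*Plus connect string for a user with the needed privileges (the guide uses system), that the HSM passphrase is also the wallet password as arranged with Wallet Manager above, and that the Oracle Database 11g Release 2 syntax (close/open with identified by) applies. The tablespace name SECURESPACE2 is the one created in the guide.

```powershell
# Added end-to-end check of the migrated TDE setup; not part of the original guide.
# Assumptions: sqlplus.exe on PATH; $Connect is e.g. system/password@orcl; $HsmPassphrase is
# the PKCS#11 user PIN, which after the Wallet Manager step is also the wallet password.
param(
    [Parameter(Mandatory)][string]$Connect,
    [Parameter(Mandatory)][string]$HsmPassphrase,
    [string]$Tablespace = 'SECURESPACE2'
)

function Invoke-SqlPlus {
    param([string]$Sql)
    # /nolog plus CONNECT keeps the credentials out of the process command line.
    $script = @"
SET PAGESIZE 0 FEEDBACK OFF HEADING OFF ECHO OFF VERIFY OFF TRIMSPOOL ON
WHENEVER SQLERROR CONTINUE
CONNECT $Connect
$Sql
EXIT
"@
    return ($script | & sqlplus -S -L /nolog | ForEach-Object { "$_".Trim() } | Where-Object { $_ })
}

$fail = @()

# 1. Master key location: after a successful migration the wallet type is HSM and it is open.
$rows = Invoke-SqlPlus "SELECT wrl_type || '|' || status FROM v`$encryption_wallet;"
if (-not ($rows -contains 'HSM|OPEN')) { $fail += "v`$encryption_wallet shows [$($rows -join '; ')], expected HSM|OPEN" }

# 2. The tablespace created after the migration must be flagged encrypted.
$rows = Invoke-SqlPlus "SELECT encrypted FROM dba_tablespaces WHERE tablespace_name = '$Tablespace';"
if (-not ($rows -contains 'YES')) { $fail += "$Tablespace is not marked encrypted (got [$($rows -join '; ')])" }

# 3. Column data decrypts while the master key is available ...
$rows = Invoke-SqlPlus "SELECT COUNT(credit_limit) FROM oe.customers WHERE rownum < 15;"
if ($rows -match '^ORA-') { $fail += "encrypted column not readable with wallet open: $($rows -join ' ')" }

# 4. ... and must fail with ORA-28365 once the key is removed from database memory.
$rows = Invoke-SqlPlus @"
ALTER SYSTEM SET ENCRYPTION WALLET CLOSE IDENTIFIED BY "$HsmPassphrase";
SELECT credit_limit FROM oe.customers WHERE rownum < 15;
"@
if (-not ($rows -match 'ORA-28365')) { $fail += "encrypted column still readable after wallet close: $($rows -join ' ')" }

# 5. Reopen so the database is left in a usable state.
$rows = Invoke-SqlPlus "ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY `"$HsmPassphrase`";"
if ($rows -match '^ORA-') { $fail += "could not reopen wallet/HSM: $($rows -join ' ')" }

if ($fail.Count) { $fail | ForEach-Object { Write-Host "FAIL: $_" }; exit 1 }
Write-Host 'TDE master key is served by the HSM and access is removed when the wallet is closed.'
```

Run it after the procedure, e.g. .\Test-TdeHsm.ps1 -Connect system/password@orcl -HsmPassphrase '<HSM_passphrase>'; supply the passphrase interactively rather than from a script file where possible. Step 4 briefly closes the wallet, so run the check in a maintenance window, not against a database with active users of encrypted data.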